Prerequisites

Alation Cloud Service: Applies to Alation Cloud Service instances of Alation.

Customer Managed: Applies to customer-managed instances of Alation.

Enhanced Connector: Enhanced connectors add extended capabilities and require a separate entitlement in addition to your Alation platform license.

Supported Deployment Types

  • Alation Cloud Service (ACS)

  • Customer-managed Alation

Connector Requirements

  • Alation Connector Manager (ACM) must be installed and running for OCF connectors.

  • For ACS, ensure the Alation Agent is installed and running.

  • The connector is compatible with Alation version 2024.3 and higher.

Network and Firewall Configuration

Ensure the following network connectivity from the connector host:

| Endpoint | Port | Protocol | Purpose |
|---|---|---|---|
| maxcompute.<region>.aliyuncs.com | 443 | HTTPS | MaxCompute OpenAPI |
| dataworks.<region>.aliyuncs.com | 443 | HTTPS | DataWorks API |
| service.<region>.maxcompute.aliyun.com | 80 | HTTP | JDBC endpoint |

Replace <region> with your Alibaba Cloud region (for example, cn-hangzhou, us-east-1).

Authentication Requirements

The connector requires Alibaba Cloud RAM (Resource Access Management) credentials:

  1. Access Key ID: The RAM user’s Access Key ID

  2. Access Key Secret: The RAM user’s Access Key Secret

Creating a RAM User

  1. Log in to the Alibaba Cloud RAM Console.

  2. Navigate to Users and click Create User.

  3. Enable Programmatic Access for the user to generate Access Keys.

  4. Save the Access Key ID and Access Key Secret securely.

Access Requirements

The MaxCompute connector requires multiple levels of access. Configure the following permissions based on the features you plan to use.

1. RAM Policy: AliyunMaxComputeFullAccess

Used by: Test Connection, Filter Extraction (project discovery), MDE

Attach the AliyunMaxComputeFullAccess managed policy to the RAM user, or create a custom policy with the following permissions:

| API Action | Feature | Purpose |
|---|---|---|
| maxcompute:ListProjects | Test Connection, Filter Extraction, QLI | Discover all projects in the tenant |
| maxcompute:ListTables | MDE | List tables in each project |
| maxcompute:GetTableInfo | MDE | Get table details (columns, types, comments) |
| maxcompute:ListFunctions | MDE | List UDFs in each project |

2. RAM Policy: AliyunDataWorksFullAccess

Used by: Lineage

Attach the AliyunDataWorksFullAccess managed policy to the RAM user, or create a custom policy with the following permissions:

| API Action | Feature | Priority | Purpose |
|---|---|---|---|
| dataworks:ListProjects | Lineage | Required | Map MaxCompute projects to DataWorks project IDs |
| dataworks:ListTables | Lineage | Required | List tables with metadata (owner, description, create/modify time) |
| dataworks:ListColumns | Lineage | Required | List columns with types, comments, PK/FK/partition info |
| dataworks:ListDataSources | Lineage | Required | Discover data sources in each DataWorks project |
| dataworks:ListLineages | Lineage | Required | Get table-level and column-level lineage relationships |
| dataworks:GetTaskInstance | Lineage | Optional | Enrich dataflow with script content, status, owner, execution times |
| dataworks:ListNodes | Lineage | Optional | Enrich dataflow with scheduling metadata (cron, script path, recurrence) |
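
For the custom-policy option in sections 1 and 2, the following added example (not Alation's or Alibaba Cloud's code) builds a RAM policy document containing only the actions listed in the tables above for the features you enable, and reports anything an existing policy allows beyond that set. The feature keys and function names are chosen for this example, and "Resource": "*" is an assumption because this page gives no resource scoping.

```python
# Action names are copied from the tables on this page; the feature keys
# (lowercase labels) are names chosen for this example.
REQUIRED = {
    "test_connection": ["maxcompute:ListProjects"],
    "filter_extraction": ["maxcompute:ListProjects"],
    "qli": ["maxcompute:ListProjects"],
    "mde": ["maxcompute:ListTables", "maxcompute:GetTableInfo",
            "maxcompute:ListFunctions"],
    "lineage": ["dataworks:ListProjects", "dataworks:ListTables",
                "dataworks:ListColumns", "dataworks:ListDataSources",
                "dataworks:ListLineages"],
}
OPTIONAL = {"lineage": ["dataworks:GetTaskInstance", "dataworks:ListNodes"]}


def needed_actions(features, include_optional=False):
    """Return the sorted set of API actions the chosen features need."""
    actions = set()
    for feature in features:
        actions.update(REQUIRED[feature])  # KeyError on an unknown feature
        if include_optional:
            actions.update(OPTIONAL.get(feature, []))
    return sorted(actions)


def build_policy(features, include_optional=False):
    """Build a custom RAM policy document limited to those actions."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": needed_actions(features, include_optional),
            # Assumption: the page gives no resource scoping, so "*" is used.
            "Resource": "*",
        }],
    }


def excess_actions(policy, features, include_optional=False):
    """List Allow actions (wildcards included) beyond what the features need."""
    allowed = set(needed_actions(features, include_optional))
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        found.update([acts] if isinstance(acts, str) else acts)
    return sorted(found - allowed)
```
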

3. MaxCompute Tenant-Level Role: infoschema_admin

Used by: QLI (Query Log Ingestion)

| Requirement | Details |
|---|---|
| Role | infoschema_admin (tenant-level, NOT project-level) |
| Assigned via | MaxCompute Console > Tenants > Users > Assign Role |
| Grants access to | acs:odps:*:catalogs/system_catalog resources |
| Enables | SYSTEM_CATALOG.INFORMATION_SCHEMA.TASKS_HISTORY cross-project query |
| Not a RAM policy | This is a MaxCompute internal role, not an Alibaba Cloud RAM policy |

Role Policy:

{
    "Statement": [
        {
            "Action": ["odps:Describe", "odps:Select"],
            "Effect": "Allow",
            "Resource": ["acs:odps:*:catalogs/system_catalog/schemas/information_schema/tables/*"]
        },
        {
            "Action": ["odps:List"],
            "Effect": "Allow",
            "Resource": ["acs:odps:*:catalogs/system_catalog/schemas/information_schema"]
        }
    ],
    "Version": "1"
}

4. MaxCompute Project-Level Membership (JDBC Access)

Used by: QLI (entry point), Profiling, Compose

The RAM user must be added as a member to each project they need JDBC access to. Assign membership via MaxCompute Console > Project > Members.

| Requirement | Feature | Purpose |
|---|---|---|
| odps:Read on at least 1 project | QLI | JDBC entry point for SYSTEM_CATALOG query |
| odps:Read on profiled projects | Profiling (sampling) | Execute SELECT MIN(), MAX(), AVG()… queries per-project |
| odps:Read + odps:CreateInstance on Compose projects | Compose | Execute user-written SQL queries |

Grant project-level access using the MaxCompute console or one of the following commands:

-- Grant Read and CreateInstance on a project to a user
-- (per the table above, CreateInstance is required only on Compose projects)
GRANT Read, CreateInstance ON PROJECT <project_name> TO USER <ram_user>;

-- Or assign a built-in role
GRANT role_project_reader TO USER <ram_user>;

DataWorks Configuration

For lineage extraction and enhanced metadata, ensure:

  1. DataWorks Data Map is enabled for your workspace.

  2. The MaxCompute projects are registered as data sources in DataWorks.

  3. The RAM user has access to the DataWorks workspace.

Note

Lineage extraction uses the DataWorks Public API. If DataWorks is not configured or the RAM user lacks permissions, lineage extraction will be skipped but metadata extraction will continue.

JDBC Requirements

For QLI, Compose, and Profiling, the connector uses MaxCompute JDBC:

  • JDBC Driver: com.aliyun.odps.jdbc.OdpsDriver version 3.2.0 (bundled with the connector)

  • JDBC URL Format: jdbc:odps:http://service.<region>.maxcompute.aliyun.com/api?project=<project_name> (the jdbc: prefix is optional)

Authentication:

  • Compose: Per-user authentication. Each user provides their own Access Key ID (as username) and Access Key Secret (as password). Service account credentials are not used.

  • Sampling and Profiling: Uses service account Access Key ID and Access Key Secret.

  • QLI: Uses service account Access Key ID and Access Key Secret with tenant-level infoschema_admin role.